In our last installment, we talked about four factors that put associations at particular risk of a cyber breach. One of those factors was the use of volunteers -- the lifeblood of most not-for-profits.
As a reminder, reasons why the use of volunteers can increase the likelihood of an association becoming the victim of a cyber-attack include:
- Fear of alienating volunteers with onerous cyber security requirements and procedures
- Practice of providing information in unprotected formats for volunteers to work on
- Concern about how we think volunteers will react
Experts agree the best protection against hackers is informed and engaged staff. They also agree that all the technology in the world will not protect an organization -- any organization -- from uninformed or uninvolved authenticated users who do the wrong thing, either intentionally or accidentally. This is particularly true of volunteers. What we need to remember is that by definition, volunteers are there to help, not hurt.
What Associations Do
Associations often make assumptions that volunteers will not follow rules and that they can’t be asked to change passwords or follow appropriate procedures. Nonsense.
What Associations Should Do
Associations need to establish best practices and policies for email usage, sensitive data protection, file access, web browsing, password requirements, etc. And -- here’s the tough part -- they need to take a day or two to train everyone -- paid or unpaid workers and those working full-time, part-time or only occasionally. In other words, staff AND volunteers.
The focus of the training provided should be on:
- Cyber security policies that are in place. Everyone needs to understand the reasoning behind each policy
- Overall awareness of cyber security issues, e.g., why cybercrime is growing at such an alarming rate
- How to identify and avoid common internet scams including phishing, spear phishing, ransomware, etc.
- How to keep association devices such as cell phones, laptops, and tablets safe from damage and thieves
- Protecting sensitive association data when using public Wi-Fi, risks associated with using social media, etc.
Once training has occurred, both volunteers and staff need to be held professionally accountable. Associations that treat their volunteers like professional staff -- with respect and with expectations similar to those for staff -- often get far better results.
Stay tuned for upcoming articles addressing cyber risks that impact associations. Look out for our next installment in this series (in September 2017) entitled Do You Know Where Your Data Is?
Cyber security articles are written by proLearning innovations. Contact proLearning to learn more about their IT Security Training Program for Employees and Volunteers and other offerings designed to help keep your association safe.
Taking control of your volunteer base in order to improve your association's cybersecurity begins with good governance. In November, CSAE is holding two Governance Forum events that could help with your overall processes in this regard. The first will be held in Ottawa and the second in Calgary -- don't miss out.